Vulnerabilities Found #414
Comments
|
Hi @ganeshv2911, First of all, thanks for reporting them. We're going to analyze our internal security scans and:
|
|
Hi! A new version of the image renderer has been released and contains updated libraries. CVE-2020-27748 (xdg-utils) is still there but is related to emails (Thunderbird) and this is not used by the image renderer. |
|
Hi, |
|
Hi, You can see in the changelog that, in the image renderer itself, Also, when we make a new release, the base Docker image and Chromium are updated. I don't have the list of the libraries that were updated doing that but, from the list of vulnerabilities that were present before 3.7.0 and that are now gone, I can say at least these libraries were updated: ffmpeg-libs (Chromium), http-cache-semantics (base Docker image), gnutls (base Docker image). |
|
Hi, |
|
Yes but the base image can be updated. It's built with this Dockerfile and if you look into the file history, you can see that the NodeJS library has been updated to 16.20.0 (and the changelog for this version is here: https://github.com/nodejs/node/releases/tag/v16.20.0) |
|
Hi , |
|
It's updated separately, latest version of Chromium is downloaded each time we create a new Docker image, see: https://github.com/grafana/grafana-image-renderer/blob/master/Dockerfile#L13. |
|
Thanks for your quick replies. |
Hi Team,
In our recent scans we found the below components flagged as Vulnerabilities:
Components
openssl.cnf/openssl.cnf.dist/engines-3 OpenSSL3.0.7
ajv6.10.0
avahi-libs/0.8-r9/x86_64
ffmpeg-libs/5.1.2-r1/x86_64
libgd/2.3.3-r6/x86_64
mbedtls/2.28.2-r0/x86_64
libcrypto3/3.0.8-r0/x86_64
libssl3/3.0.8-r0/x86_64
xdg-utils/1.1.3-r4/noarch
We need to know how these components are being used in image renderer code?
Appreciate the Help.
Regards,
GV
The text was updated successfully, but these errors were encountered: